Re: ospf authentication

From: Brian McGahan <bmcgahan_at_ine.com>
Date: Sun, 11 Mar 2012 10:49:36 -0500

This isn't saying what you're saying: http://goo.gl/SmxY2

Brian McGahan, CCIE #8593 (R&S/SP/Security)
bmcgahan_at_INE.com

Internetwork Expert, Inc.
http://www.INE.com

On Mar 11, 2012, at 3:33 AM, "Narbik Kocharians" <narbikk_at_gmail.com> wrote:

Brian,

This is not saying what you are stating:

http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080094069.shtml

On Sat, Mar 10, 2012 at 11:56 PM, Brian McGahan <bmcgahan_at_ine.com> wrote:
Technically NULL authentication means you are authenticating with any arbitrary string. If you read the OSPF specification (http://www.ietf.org/rfc/rfc2328.txt) it gives more detail:

D. Authentication

   All OSPF protocol exchanges are authenticated. The OSPF packet
   header (see Section A.3.1) includes an authentication type field,
   and 64-bits of data for use by the appropriate authentication scheme
   (determined by the type field).

   The authentication type is configurable on a per-interface (or
   equivalently, on a per-network/subnet) basis. Additional
   authentication data is also configurable on a per-interface basis.

   Authentication types 0, 1 and 2 are defined by this specification.
   All other authentication types are reserved for definition by the
   IANA (iana_at_ISI.EDU). The current list of authentication types is
   described below in Table 20.

                 AuType       Description
                 ___________________________________________
                 0            Null authentication
                 1            Simple password
                 2            Cryptographic authentication
                 All others   Reserved for assignment by the
                              IANA (iana_at_ISI.EDU)
<snip>

"NULL" authentication is technically not "no" authentication, but in reality it means the same thing. The key point is that there is a difference between the negotiation of the authentication *type* and the authentication *key*.

Both the authentication types and keys can be NULL. Even though "NULL" is a zero value, it still counts as a value. This is why if you configure two routers to authenticate each other with MD5 (Type 2) authentication, but don't set the key, it still works. This is because they have agreed on Authentication Type 2 (MD5) and Authentication Key NULL.

HTH,

Brian McGahan, CCIE #8593 (R&S/SP/Security)
bmcgahan_at_INE.com

Internetwork Expert, Inc.
http://www.INE.com

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Narbik Kocharians
Sent: Saturday, March 10, 2012 10:24 PM
To: Aaron
Cc: Joe Astorino; CCIE GROUPSTUDY
Subject: Re: ospf authentication

Aaron,

Remember that the "ip ospf authentication null" command is the command that is used to *disable* authentication. OSPF authentication can either be none (or, as Brian called it, Null), simple, or MD5. The authentication method none (Null) means that you have *no* authentication.

On Sat, Mar 10, 2012 at 5:36 PM, Aaron <aaron1_at_gvtc.com> wrote:

> But that's where it was weird (unless I'm not understanding what you
> are saying).
>
> I did this
>
> Router ospf 1
> Area 0 auth messag
>
> r6(config-subif)#do sh ip osp | in auth
> Area has message digest authentication
>
> and it seems that even with that turned on I can neighbor up with
> routers and I don't even have to provide a md5 password anywhere. Is
> that called type 0, 1, or 2? I'm getting the impression that what
> I've done was a half-baked type 2. In other words it ain't truly type
> 2 md5 auth until the int config "ip osp mess 1 md5 cisco" is applied. True?
>
> Aaron
>
>
> -----Original Message-----
> From: Joe Astorino [mailto:joeastorino1982_at_gmail.com]
> Sent: Saturday, March 10, 2012 7:24 PM
> To: Aaron; CCIE GROUPSTUDY
> Subject: Re: ospf authentication
>
> There are 3 types
>
> NULL, Clear text and MD5. So technically it can work without a
> password using NULL authentication type
>
>
>
> On 3/10/12, Aaron <aaron1_at_gvtc.com> wrote:
> > Isn't it weird that ospf authentication works even without a password?
> >
> > I enabled area 0 authentication and it works, even before I ever
> > specify a password anywhere.
> >
> > Aaron
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
> --
> Sent from my mobile device
>
> Regards,
>
> Joe Astorino
> CCIE #24347
> http://astorinonetworks.com
>
> "He not busy being born is busy dying" - Dylan
>

--
Narbik Kocharians
CCSI#30832, CCIE# 12410 (R&S, SP, Security)
www.MicronicsTraining.com
Sr. Technical Instructor
YES! We take Cisco Learning Credits!
Training & Remote Racks available
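As an added example that is not part of any message in this thread: the Python below models the RFC 2328 Appendix D mechanics Brian quoted (AuType 0, 1 and 2 from Table 20) on constructed packets, so you can see exactly what each router computes when the authentication type is 2 and no key has been configured, and why a router keyed with "cisco" and an unkeyed one do not accept each other's packets. The sender/receiver functions, the router and area IDs, and the zero-padding of keys shorter than 16 bytes to a 16-byte MD5 key are assumptions of this example, not text from the RFC excerpt or from anyone in the thread; nothing here models IOS command syntax or touches the network.

```python
"""Model of OSPFv2 packet authentication per RFC 2328 Appendix D.

Added example with constructed packets only; nothing is sent on the wire.
"""
import hashlib
import struct

AUTH_NULL, AUTH_SIMPLE, AUTH_CRYPTO = 0, 1, 2  # AuType values from Table 20
HELLO = 1
# version, type, length, router ID, area ID, checksum, AuType, 64-bit auth field
HDR = struct.Struct("!BBHIIHH8s")


def _ip_checksum(data: bytes) -> int:
    """Standard one's-complement checksum used when AuType is 0 or 1."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _md5_key(key: bytes) -> bytes:
    # Assumption: a key shorter than 16 bytes is zero-padded to 16, as
    # implementations commonly do; an empty key therefore becomes 16 zero bytes.
    if len(key) > 16:
        raise ValueError("MD5 key must be at most 16 bytes")
    return key.ljust(16, b"\x00")


def build_packet(router_id, area_id, autype, key=b"", key_id=1, seq=1, body=b""):
    """Return an OSPF Hello authenticated with the given AuType and key."""
    length = HDR.size + len(body)  # the AuType 2 digest is not counted here
    if autype == AUTH_CRYPTO:
        # Auth field: 2 reserved bytes, key ID, digest length, sequence number.
        auth = struct.pack("!HBBI", 0, key_id, 16, seq)
        pkt = HDR.pack(2, HELLO, length, router_id, area_id, 0, autype, auth) + body
        # Digest is MD5 over the packet followed by the (padded) key; checksum is 0.
        return pkt + hashlib.md5(pkt + _md5_key(key)).digest()
    if autype == AUTH_SIMPLE:
        auth = key.ljust(8, b"\x00")[:8]  # clear-text password carried in header
    else:
        auth = b"\xde\xad\xbe\xef" * 2  # AuType 0: contents are never examined
    hdr = HDR.pack(2, HELLO, length, router_id, area_id, 0, autype, auth)
    cksum = _ip_checksum(hdr[:16] + body)  # checksum skips the 8-byte auth field
    return HDR.pack(2, HELLO, length, router_id, area_id, cksum, autype, auth) + body


def verify_packet(pkt: bytes, expected_autype: int, key: bytes = b"") -> bool:
    """Receiver side of Appendix D: True if pkt passes the interface's auth."""
    if len(pkt) < HDR.size:
        return False
    _, _, length, _, _, cksum, autype, auth = HDR.unpack_from(pkt)
    if autype != expected_autype:  # AuType mismatch is always a drop
        return False
    if autype == AUTH_CRYPTO:
        _, _, auth_len, _ = struct.unpack("!HBBI", auth)
        if auth_len != 16 or len(pkt) < length + 16:
            return False
        want = hashlib.md5(pkt[:length] + _md5_key(key)).digest()
        return want == pkt[length:length + 16]
    # AuType 0 and 1: check the checksum over everything except the auth field
    zeroed = pkt[:12] + b"\x00\x00" + pkt[14:16] + pkt[HDR.size:length]
    if _ip_checksum(zeroed) != cksum:
        return False
    return autype == AUTH_NULL or auth == key.ljust(8, b"\x00")[:8]


def demo():
    """The exchanges the thread discusses, as {scenario: accepted?}."""
    r1, area0 = 0x01010101, 0  # constructed router ID and area
    empty = build_packet(r1, area0, AUTH_CRYPTO)  # type 2, no key configured
    keyed = build_packet(r1, area0, AUTH_CRYPTO, key=b"cisco")
    null = build_packet(r1, area0, AUTH_NULL)
    tampered = empty[:-1] + bytes([empty[-1] ^ 0xFF])  # corrupt the digest
    return {
        # Both sides hash packet || sixteen zero bytes, so the digests agree.
        "md5_empty_key_both_sides": verify_packet(empty, AUTH_CRYPTO, b""),
        # Sender keyed "cisco", receiver unkeyed: digests differ, packet dropped.
        "md5_cisco_vs_empty": verify_packet(keyed, AUTH_CRYPTO, b""),
        # AuType 0: junk in the auth field is fine; only the checksum matters.
        "null_auth_any_field": verify_packet(null, AUTH_NULL),
        # A type 0 packet arriving on a type 2 interface is dropped on AuType.
        "null_packet_on_md5_interface": verify_packet(null, AUTH_CRYPTO),
        "tampered_digest": verify_packet(tampered, AUTH_CRYPTO, b""),
    }


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario}: {'accepted' if accepted else 'dropped'}")
```

Running the file prints one line per scenario. The practical takeaway the model makes visible: with AuType 2 and an empty key, the digest is still a well-defined MD5 over the packet plus sixteen zero bytes, so two unkeyed routers agree with each other, but the packets carry no secret at all, and anyone who can reach the segment can compute the same trailer.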
Received on Sun Mar 11 2012 - 10:49:36 ART

This archive was generated by hypermail 2.2.0 : Sun Apr 01 2012 - 07:56:52 ART